If you are a UK based education organisation you may want to join the UK education specific 'UK Access Management federation for Education and Research' (sometimes called the UK fed).
The first thing to do is check if you have UK fed enabled in OpenAthens and have our service desk enable it if not. To check: access the administration area and go to Management > Connections. Look for entry in the federations section. You will need to reference these details later.
Their website has all the details
If there is no existing registration our service desk can quickly add one. Your 'scope' will be the same across all federations but your entityID can be different in the UK fed if you need it to match an existing entity - e.g. if you were upgrading from Shibboleth. If you do not specify an entityID, our service desk will duplicate your OpenAthens federation entityID (recommended).
Now you are ready to register with the UK fed.
Their website should be your source of details for the process:
The relevant bits of information for the second part, where were are the 'outsourced IdP'
The name of the external organisation providing the outsourcing service. This organisation must itself be a member of the federation.
The of the identity provider which the external organisation proposes to use on behalf of the applicant. (The external organisation should be consulted to obtain this information.)
Insert here about us that you will need to tell them from the 'RegisterOtherIdP' pages are below. This may be all you need if you are already a member.
Most of this section is not applicable. The part that is important is that you control the entityID and scopes associated with your organisation and what that comes down to is the domain name that is being used for your entityID and scope - e.g. institution.ac.uk in https://idp.institution.ac.uk/openathens is owned by you. This should have been checked by us when you joined, but you should confirm.
Registration procedure section
This is the person they will want to deal with and accept future requests from. If it's not going to be you, pick someone who will recognise what any email from them is about.
Tell them you're using OpenAthens
Information required for registration section
Use the entityID displayed in your administration area
If the domain name contained within the entityID belongs to the applicant rather than to the external organisation, an explicit statement by the applicant approving the use of the entityID by the external organisation.
Yes, I am happy for Eduserv to do that on my behalf
Any identifier assigned to the applicant by the external organisation.
Repeat your entityID here
A contact person (name and email address) within the external organisation.
OpenAthens Service Desk
The security domain(s) that the applicant grants authorisation to the external organisation to assert on its behalf. This normally corresponds to the applicant's registered DNS domain(s). This should be specified in lower case.
as described above. E.g.
Use the scope displayed in your administration area as described above. E.g.
Say yes, unless you are registering a new entity as part of upgrading from Shibboleth or similar
If you say 'yes', you should ensure that the auto delete function is set longer than three months and that users will be promptly expired when they leave. If you have local policies that conflict with that you can say 'no'.
Optional. You can say "OpenAthens". You won't need to specify versions or types as there is only one.
Optional. If you want to specify one, first make sure you have uploaded one under Preferences > Domain. You will need to do this if you're going to be using the student voter registration service.
You will need to know your OpenAthens domain
(usually the same as
) and your
number. Both can be seen on the
Organisations page (
Once you've filled them in, test the link - e.g. https://login.openathens.net/images/peckhamtraders.com/o/68420974/fullsize.png
Organisation display name
Probably the same as you've told us
Your website's homepage
Contacts - support, technical and administrative - should all be:
"OpenAthens Service Desk - firstname.lastname@example.org"
Automatically generated metadata
In most cases, this will be in the form:
... where domain is your OpenAthens domain, usually the same as your scope. See: How to access your login.openathens.net metadata
If you want to view this in your browser you may need to add a ?browser parameter need to have a different entityID in the UK Access Management federation from the one you have in the OpenAthens federation then you will need to add /c/ukfed to the end of the link, e.g.metadata address - examples:
For most users: https://login.openathens.net/saml/2/metadata-idp/institution.ac.uk?browser
Manually specifying connection settings
The metadata address should be sufficient for most SAML targets, however some may instead want you to specify endpoints, certificates and other data manually instead. If they do:
Endpoints / SSO address:
UK fed specific entityID:
This will be the x509 certificate in the , topped and tailed as follows. This is sometimes called PEM format.
-----BEGIN CERTIFICATE----- Hi7cUUpCAqagAwIBAgIEVOxCIjANBgkqhkiG9w0BAQsFADCBoDEoMCYGCSqGSIb3DQEJARYZYXRo ZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMCR0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0w CwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMwEQYDVQQLDApPcGVuQXRoZW5zMR4wHAYD VQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwHhcNMTUwMjI0MDkyMDA2WhcNMjUwMjI0MDkyMDA2 WjCBoDEoMCYGCSqGSIb3DQEJARYZYXRoZW5zaGVscEBlZHVzZXJ2Lm9yZy51azELMAkGA1UEBhMC R0IxETAPBgNVBAgMCFNvbWVyc2V0MQ0wCwYDVQQHDARCYXRoMRAwDgYDVQQKDAdFZHVzZXJ2MRMw EQYDVQQLDApPcGVuaXRoZW5zMR4wHAYDVQQDDBVnYXRld2F5LmF0aGVuc2Ftcy5uZXQwggEiMA0G CSqGSIb3DQEBAQUAn4IBDwAwggEKAoIBAQCandpa4o0Njtw1DqbrrNTfOVe1PqyXIIVmDrJ6VUR/ mokXXu+m5Gm+1f+3ayN5IA2YMn9Z8Yo37JQjIHs+xVS3q4nT1ewS7S3en1pdXKsH1WnUnVWUmpl9 WJZrUwi5i8X80LNyd7PmudhuKNEATGUXkA/xWCkk2d8jf91hy7Qu+HA8LOKtdbbNigErh2IY/YuN WUVUqgGbMH5BGr7ZahPrz+Vwcf9lhPW+tKpKpZEzJfQiq8EoPaeMXEpKWBEErm67gkWFCA5VhfcJ LqFjQEC3pWOxt5rZRS8gl/Z33VSJZVzY5jWcQzmGaLXPHXyiKPmixl6+DjGlUM0ylNF7GvtDAgMB AAEwDQYJKoZIhvcNuQELBQADggEBAFhmhujLZueiJ6F7mQCpfB0Hj4Y8FyFUUc8NMAt5Set7H4DK SSl4shcqisZBa5yTlyenYwkmBszvCWs6Yeep+zJmCR62cb/f1M32oMzLm02OlznWMkE8/IajGmdx TnB6Z/XcdMMIiCeoe4kqe5KMd5oRAyNskHYZ+8kzhs2zTveR+rqCtYxa/AYpwf7n0VQR9clBSNCI T4BCRi10aPE531VIsl4ljY3CwNoZ4lQTU/0aj8O4j68V2neiQb8lewAii0b2xoyOGYP4okd7T2tl 4gl2noVbCvYNjd6GYze/w4lgwiemkby7wu5sN1lEudgKDV+H54wU29ZIyDEFM6DDNE4= -----END CERTIFICATE-----
Issuer / IDP issuer / identifier
Your entityID, e.g.
Binding / Binding type / IDP Binding
This should be 'Redirect' rather than 'Post'.